After what appeared to be a mutually respectful agreement between the two nations to prevent the cyber-theft of corporate secrets, it looks like Chinese government hackers have been unable to hold themselves back from temptation.
Reports suggest that as many as seven US-based firms have experienced attempted or successful penetration attacks in the three weeks following the signing of the new accord. The agreement was established, signed and ratified by President Barack Obama and Chinese President Xi Jinping on September 25, 2015.
Never knowingly under-cyberhacked
The agreement itself states that Washington and Beijing would not spy on each other for commercial reasons. Reuters describes the treaty as one where neither government would knowingly support cyber-theft of corporate secrets to benefit domestic businesses.
According to the Reuters news agency, “The agreement stopped short of restricting spying to obtain government secrets, including those held by private contractors.”
A technical validation and explanation of the hacks in question has been provided by security company CrowdStrike Inc, which had software installed at five US technology and two pharmaceutical companies. CrowdStrike said that its endpoint protection, threat intelligence and targeted attacks services had detected and rebuffed the attacks themselves.
The hacks were traced to the Chinese government by CrowdStrike co-founder Dmitri Alperovitch, who alleges that the connection can be made based on the servers and software used in the attacks.
The hackers have previously been dubbed Deep Panda by CrowdStrike. The software in use is thought to be a program known as Derusbi.
CrowdStrike has published its own blog on this event and said that the primary benefits of the intrusions seem to be “clearly aligned to facilitate theft of intellectual property and trade secrets”. The company further states that, in its assessment, the hacks were not carried out “to conduct traditional, national-security-related intelligence collection”.
ABC News Australia notes that Chinese foreign ministry spokeswoman Hua Chunying repeated that the Chinese government opposes all forms of hacking or stealing of commercial secrets.
Opinions from a special agent
SCMagazineUK.com followed this story up with Leo Taddeo, chief security officer of Cryptzone. Taddeo is a former special agent in charge of the Special Operations/Cyber Division of the FBI's New York Office.
"The question of whether the cyber-agreement will have any lasting effect on US cyber-security has two parts. The first is whether President Xi Jinping intends to honour it as interpreted by the Obama administration. The second is whether President Xi could put a halt to China's cyber-spying even if he wanted to. Both parts seem highly unlikely,” said Taddeo.
The former special agent continued by saying that China's cyber-spying agencies have produced spectacular results in the past decade. “It's hard to believe China would agree to dismantle a large part of these organisations just because the US has asked them to do so. What's more, it's hard to believe the cyber-warriors who make up these organisations could be effectively contained.”
Taddeo says that unlike tanks and aircraft, cyber-weapons can be carried on portable media, like a thumb drive. So despite orders to the contrary, China's cyber-warriors could and would continue to attack US networks with the full capability of a state-sponsored cyber-arsenal.
“In fact, many of China's military cyber-elite are already moonlighting as hackers-for-hire in underground markets. If the order came to stand down, do we really expect them to turn off their computers and look for a different line of work? The only thing we can say for sure about China's cyber-warriors is that they will continue to target US corporations and that they will be much harder to detect,” he added.
Taddeo concludes by saying that the fact is, the genie is out of the bottle:
“China's corporate cyber-espionage apparatus is too big and too effective to shut down. The specific activity detected by CrowdStrike may be the result of programs that were 'grandfathered' in to previously authorised activity. More likely, it is business as usual while they gear up to deploy better and stealthier tools," he said.
SCMagazineUK.com also spoke with Ed Wallace, director for advanced threats and incident response at MWR Infosecurity.
"No one can be surprised that the hacking attacks are on-going as countries have been spying on each other, getting caught and promising to not spy on each other for centuries - from the Egyptians in 1000 BC to the Chinese codifying it in Sun Tzu around 512 BC to the modern age. The techniques, purpose and tools have changed, but not the act itself,” said Wallace.
"The current proliferation in cyber-espionage is brought about by change in several key parameters – the focus on economic (as opposed to military or diplomatic) espionage, the reduction in cost (cyber-espionage enables a country to steal information from many more targets for little cost) and the minimal downside of 'getting caught'. No longer are we faced with photogenic spies, such as Anna Chapman; these days it's technical analysis and claims in the media – all of which can be denied. The current model has also given rise to many cases of cyber-espionage from contractors and third parties further muddying the attribution water,” he added.
Wallace says that these factors, coupled with the massive benefits to an attacker's industry and economy, mean that there is little real incentive to desist; instead, the number of countries with active cyber-espionage operations has exploded over the last three years (even if the same few countries still attract the media limelight).
"The latest attack mentions the presence of the Derusbi family of malware. Whilst this has been around for a few years, like most malware used by advanced attackers it frequently evolves, making signature-based defences ineffective. The malware has frequently been used by the Hidden Lynx hacker group, which has been attributed to working on behalf of Chinese organisations and the government, although there is nothing stopping other proficient attackers from using and developing their own variants,” said Wallace.
The MWR Infosecurity man concludes by saying that with the current global focus firmly on economic power, there is no reason for any country to stop such attacks and every reason to expect nation-state-supported attacks to continue.
“These will continue both directly and through a growing number of sub-contractors and criminal intermediaries; companies and organisations that do not adjust themselves to this new environment can expect to lose their competitive advantage as they haemorrhage intellectual property, research, and financial and corporate strategy," he said.